On April 7, 2014, a vulnerability (CVE-2014-0160, also known as “Heartbleed”) was disclosed that could allow attackers to view sensitive information in a server’s memory, such as secret keys and passwords. Given the severity of this problem, Linode has taken the necessary steps to keep our customers and their information safe from potential attacks.
Am I Vulnerable?
Since Heartbleed has been in the wild for over a year, servers could have been compromised for some time. This vulnerability exposes a system to attackers who may extract information without leaving a trace of malicious activity.
A tool has been published that allows administrators to test whether their system is vulnerable. If your site has an SSL certificate, go to the Heartbleed test page, enter your website URL, and run the vulnerability test. The source of this tool can be found on GitHub. Please note that a passing score does not mean your system isn’t vulnerable in another way. Software that was compiled against the old library will need to be recompiled.
Is Linode Vulnerable?
As soon as this vulnerability was disclosed, our security team completed upgrades on all our infrastructure to patch the bug. Due to the nature of the issue, we’re in the process of completing a full audit of our systems and regenerating affected certificates.
Protecting Your System
We’re encouraging all Linode customers to run software updates and recompile software compiled against vulnerable libraries. At this time, all of our package mirrors have been updated with packages that contain fixes for this issue. If you’d like to know more about patching your system and reissuing SSL certificates, please view our guide in the Linode Library.
Filed under: announcements by Linode Security Team